
Chrome saved passwords in plain text not a flaw, according to Google

Open the passwords section of Google Chrome's settings and you will find that the popular web browser will reveal any saved password in plain text with a single click. Many consider this a flaw, but Google does not.

Software developer Elliott Kember may not be the first one to realize this, but he learned about it for the first time just recently and decided to write about it in a blog post that is gaining some attention.

More often than not, Kember is found using Safari on his Apple computer – a web browser he said does not reveal passwords in plain text – but he occasionally gives Chrome a whirl and decided he would try to import his bookmarks from Safari for consistency.

It struck him as odd that he was not able to uncheck a “Saved passwords” option on the import setting menu that popped up, which quickly led him to discover that all saved passwords can be displayed in plain text in the Chrome settings panel.

“There's no master password, no security, not even a prompt that ‘these passwords are visible,’” Kember wrote in his post.

The response in the media and on internet forums has been negative, but Google maintains this is not a flaw. Passwords synced to Google are stored encrypted on Google's servers; the dispute is about what happens on the user's own machine. Justin Schuh, Chrome browser security lead, responded to Kember in a post of his own, likening any additional security boundary inside a user's own computer account to “theater.”

Schuh said any attacker who gains access to an account can dump all session cookies, grab browsing history, install monitoring software or install malicious extensions to intercept browsing activity. His point is that “once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants.” The boundary Chrome relies on is the operating-system user account: the stored credentials are encrypted at rest with a key the operating system releases to that logged-in user (DPAPI on Windows, the Keychain on macOS), so anyone already running as that user can read them with or without the settings page.

What about the everyday user who is not an attacker?

This reporter emailed Google asking Schuh how he would respond to the case of a suspicious husband or wife who wanted to snoop on the emails or social media accounts of their spouse. That husband or wife may not have the time, inclination or know-how to learn a workaround, but this makes it easy for them. A Google representative deferred the request for comment. 

“It's amazing how many people miss this point,” Kember told SCMagazine.com. “I had a guy tell me that he was worried about his crackhead brother being capable of exploiting this. That wasn't pleasant to hear, but it did drive home the point.”

Firefox, another popular web browser, offers a master password feature. Schuh's explanation of why Chrome has no equivalent (he said it gives users a false sense of security and encourages risky behavior) has people such as Kember scratching their heads.

“I think Justin Schuh is out of touch with the way people use computers,” Kember said. “There's a big disconnect between what people ‘should’ do, and what people ‘actually’ do. For instance, supposedly you're supposed to switch user accounts on a computer whenever someone else uses it. But in the real world, people borrow their friends' computers all the time.”

A forum user, signing off as hobbes300, responded to Schuh's post, saying, "Your logic doesn't follow...Don't forget, all security, regardless of how good it is, is just a delay mechanism. It's perfectly valid to delay the easy attacks as well as the hard ones."
